
we should create a bug bounty program. They seem to be increasingly popular, but do they do any good for actually improving the security of software products?

Imagine there is a room of 50 motivated, very smart and tech-savvy men and women poring over your products -- stress testing them, using them illogically and bombarding them with input to try to find any flaws in the code that could be misused.

Would you prefer those people to be working with you or against you?

Any business software vendor will have many times that number of hackers working against it; cybercriminals and nation states will always be looking for vulnerabilities that can be exploited to steal data or gain control of the devices or systems on which the software resides. Creating a bug bounty program to encourage and reward security researchers who responsibly report security bugs is the only way to even up the numbers and hopefully find out about coding flaws before they are found and abused by attackers.

Cybercrime and cyberespionage are big businesses, and new critical vulnerabilities are highly prized -- they can earn the finder up to $200,000 on the black market. Firms like Vupen and Netragard operate as exploit brokers, often selling vulnerabilities to American and European governments and agencies. While the underground market for software vulnerabilities is well developed, the white-hat market is still very much in its infancy, but, thankfully, it is maturing fast. Most major software vendors (including Microsoft, Google, Mozilla, Facebook and Yahoo) have some form of bug bounty program and, based on the amounts that have been paid out, bug hunters have found some pretty serious flaws and vulnerabilities.

So, yes, these programs do improve the security of software. There are now several sites such as Bugcrowd that maintain up-to-date lists of all bug bounty programs and streamline the bug submission, review and reward process. Bugcrowd also supports the Internet Bug Bounty sponsored by Microsoft and Facebook, which rewards hackers who contribute to a more secure Internet.

For software vendors that truly want their products to be more secure, the economics of a bug bounty program are very attractive. Instead of having to hire a large in-house team of security experts, all a vendor needs is a technical team to review submissions and verify valid bugs. The complex and time-consuming task of testing and analyzing products is left to the bounty hunters.

Bounty rewards vary depending on the severity of the vulnerability found. Personally, I still think that many programs do not pay high enough rewards, especially given the effort that goes into finding and submitting a proof-of-concept exploit versus the money, data and business reputation that is saved.

Some bounty programs only provide a "hall of fame" page as a way to recognize researchers who've contributed a valid bug. Ali Jones has found various bugs for eBay and is named on its Responsible Disclosure Acknowledgement page, but says he has little incentive to continue analyzing eBay since the company doesn't pay for vulnerability information. Does this lack of reward reflect the true value vendors place on securing their products? Recognition is fine, but until you can spend it on groceries, many very talented coders, especially those based in poorer countries, are unlikely to participate.

Complete security is only achieved when software does what it is expected to do in all conditions. Rewarding people to actively create unexpected conditions provides a way to harness the collective intelligence and capabilities of security researchers around the world, further improve the quality of code and protect users' data and privacy. Vulnerability research and responsible disclosure are critical to the security of enterprise and customer data, and they need to be supported -- otherwise the only time vendors will know their products contain serious vulnerabilities is when their customers are under attack.

7 comments


Yes, because it's often easier for external people to recognize vulnerabilities. It's similar to editing in that respect - you can read an essay you've written multiple times and not see anything wrong, but another pair of eyes can quickly spot a typo you've glossed over. Having an outside resource applied to your systems can be helpful in finding security holes, and a bug bounty program can be particularly helpful because instead of just paying high-priced consultants, you're creating some sense of participation and recognition among experts who may possibly become advocates for your company (if you compensate them well enough, of course).

I think bug bounties find lots of bugs, but from what I’ve seen they are mostly superficial, happy path bugs that a typical cycle would have found anyway. I’ve seen several bug bounty programs with the popular crowdsourcing platforms. Unfortunately, the vast majority of those participating are largely unskilled in the nuances of software testing. When you combine this with the pay-by-the-bug model, what results are a few of the more severe bugs, but most of those involved report numerous bugs that are near trivial just to make the easy money. So, yeah, they find bugs, but as Anagnos said, they create a lot of noise, and I seriously doubt that companies seldom get the value they are looking for out of a bug bounty.

I think that they are beneficial. I have never participated in one, but I understand that the payout can be substantial for finding something like a major security flaw. For testers/hackers who have the skills and are willing to make the time investment, it seems like a great idea.

I'm all for it. If a major software company cannot see the benefit to a reward system like this to find the bugs that may damage its product and name, then let them suffer the consequences. If the "dark side" of the computer world is willing to pay and not the code developer, who do you trust with this info? Do you expose the flaw and possibly your own data to the world or the developer for not thoroughly beta testing their code?